example.com:10000 uses an invalid security certificate. The certificate expired on March 28, 2017 at 12:01 AM. The current time is April 11, 2017 at 10:40 AM. Error code: SEC_ERROR_EXPIRED_CERTIFICATE
But if I go to the normal domain, without specifying the port (so to 443 port) all seems ok, the cert says that its Period of Validity is from March 12, 2017 and June 11, 2017.
Perhaps one of the virtualhosts (or the service running on port 10000) is referring to the certificate/private key in the /archive/ directory in stead of the symbolic links in /live/?
What service uses that port 10000 anyway? Is that service reloaded after the certificate renewal?
IIRC, Webmin uses port 10000, and would require its own independent certificate configuration. https://www.digicert.com/ssl-certificate-installation-webmin.htm appears to describe the process. From that page, it doesn’t appear possible to simply point webmin to another existing cert file, but it shouldn’t be too hard to come up with a script automating those steps on renewal.